::Trend Micro Threat Resource Center::

25 May 2015

Experts bust Android security myths



Thanks to its inherent "openness," the open source Android OS is vulnerable to a variety of security risks, but how often do people you know actually fall victim to Android malware or other attacks?

Is the Android security risk overstated? Is the Android risk really greater than the risks posed by its iOS and Windows Mobile counterparts? And what can users, and the enterprise IT departments that support them, do to better protect their Android devices?

We asked these questions, and more, to a variety of mobile security experts from companies including Cisco, Dell and Lookout. Here's what they had to say:

Android security threat is real 
Android malware that affected U.S. users increased by 75 percent from 2013 to 2014, according to security firm Lookout's "2014 Mobile Threat Report."

"That's a significant jump, predominantly driven by an increase in ransomware, a nasty form of malware that locks a person's device and demands money in exchange for reinstated access," says Michael Bentley, Lookout's senior manager of security research and response.

Android devices were the targets of 97 percent of all mobile malware in 2014, according to Pulse Secure's "2015 Mobile Threat Report." And the Android security risk level "increased substantially year-over-year," says Troy Vennon, director of Pulse Secure's Mobile Threat Center. In 2012, there were 238 specific Android malware threat "families," and that number jumped to 804 in 2013 and 1,268 in 2014, according to Vennon.

At least 15 million mobile devices were infected with malware in September 2014, according to a report from Alcatel-Lucent's Kindsight Security Labs. Of those devices, 60 percent were Android smartphones and about 40 percent were Windows PCs that connected to the Web via mobile networks. Windows Mobile, iOS, BlackBerry and Symbian devices represented less than 1 percent of mobile malware infestations.

Symantec's 2015 "Internet Security Threat Report" says 17 percent of all Android apps (nearly a million) are malware in disguise. In comparison, Symantec uncovered approximately 700,000 Android malware apps in 2013.

Android more vulnerable than iOS, Windows Mobile
Android is more vulnerable than iOS because of its OS fragmentation, according to Geoff Sanders, cofounder and CEO of LaunchKey.

"Even when Google releases a security patch, it's ultimately up to the [device] manufacturer to provide this patch to end users," Sanders says. "This puts many more users at risk as their devices age."

The overall risk level for Android is also higher because it's the most popular mobile OS, according to Bojan Simic, CTO of HYPR Corp.

Apple deploys iOS only on its own devices, so the company has "far better control and knowledge of risk," Simic says. Apple's app verification system is also significantly more rigorous than Google's process in the Play store, and it results in less malware, according to Simic.

Windows Mobile users are safer due to the rule of "security by obscurity," Simic says. "Most hackers will direct their efforts where the biggest payoff is, and right now that target is Android due to its sheer amount of users."

Android security threat is real but 'overblown'
The mobile security threat exists, but it is "overblown," according to new research from Damballa. For its spring 2015 report, the company monitored about 50 percent of U.S. mobile traffic (including but not limited to Android). Damballa concluded that mobile users are 1.3 times more likely to be struck by lightning than to have their mobile devices compromised by malware.

"This research shows that mobile malware in the United States is very much like Ebola -- harmful, but greatly over exaggerated, and contained to a limited percentage of the population that is engaging in behavior that puts them at risk for infection," said Charles Lever, a Damballa senior scientific researcher, in a press release on the company's website.

Mark Hammond, senior manager for Cisco Security Solutions, agrees the Android threat has been greatly exaggerated. "The threat of Android malware is also directly associated with the source. If the average user is sticking with a well-regulated app store, like Google Play, then the risk of malware diminishes significantly."

The mobile malware threat is "really minimal," according to John Gunn, vice president of VASCO Data Security. While many people have some sort of malware on their computers, "few know anyone who has had malware on their mobile device," he says.

Verizon's 2015 "Data Breach Investigations Report" also concluded that "mobile threats are overblown," and "the overall number of exploited security vulnerabilities across all mobile platforms is negligible."

The risk of malware making its way into a native Android app is lower than ever thanks to Google's automated scanning and other new security improvements, according to Terry May, an Android developer with Detroit Labs. Google "reinforced the Android sandbox with SELinux and enhancements to the Google Play services library that can scan for vulnerabilities on the local device and not just the apps in the store," May says. "This means that even apps that have been side-loaded can be scanned."

Less than 1 percent of Android devices had a potentially harmful app (PHA) installed in 2014, and the number of PHAs on Android devices dropped by 50 percent between the first and fourth quarters of last year, according to a Google Online Security Blog post published by Android security lead engineer Adrian Ludwig in April 2015. Less than 0.15 percent of devices that only installed apps from Google Play had a PHA installed last year, Ludwig wrote.

The bottom line is that malware attacks "are increasing because users are spending more time on mobile devices than ever before, the value of the data on mobile keeps increasing, and a single OS (Android) dominates the market, increasing the footprint for attackers," says Domingo Guerra, president and cofounder of Appthority.

However, mobile malware isn't necessarily more prevalent. "Although the number of mobile malware apps is definitely booming, so is the number of good and benign apps," Guerra says.


22 May 2015

Pacnet's corporate IT network breached, warns Telstra

Telstra has advised Pacnet customers, staff and regulators in relevant jurisdictions of a security breach that allowed third party access to Pacnet’s corporate IT network.

The breach occurred prior to Telstra taking ownership of Pacnet and Telstra was made aware of the breach on finalization of the purchase on 16 April 2015.


Group Executive of Global Enterprise Services Brendon Riley said Telstra had taken immediate action to protect the security of the network once it was informed of the breach.

“Our investigation found a third party had attained access to Pacnet’s corporate IT network, including email and other administrative systems, through a SQL vulnerability that enabled malicious software to be uploaded to the network,” Riley said.

“To protect against further activity we rectified the security vulnerabilities that allowed the unauthorized access. We have also put in place additional monitoring and incident response capabilities that we routinely apply to all of our networks.

“Now we have addressed the breach and understand its potential impacts we are in the process of advising our Pacnet customers worldwide of what occurred and reassuring them that we are now applying the same high level of security we apply to Telstra’s networks.”

The Pacnet corporate IT network is not connected to Telstra and there has been no evidence of any activity on Telstra’s networks.

Riley said there had been no contact from the perpetrators nor did Telstra know the reason for the breach.

“Our focus is not on attribution. Our focus is working with our customers to understand and minimize the impact to them and to give them confidence that we will apply Telstra’s very high security standards to the Pacnet IT network,” Riley said.

“Protecting the information of our customers and people is critically important to Telstra. We make significant investments in security capabilities and work around the clock globally to keep our customers’ data safe and our networks secure.”

21 May 2015

FBI: Banned Security Researcher Admitted to Hacking Plane In-Flight

A security researcher who was pulled off a United Airlines flight last month had previously admitted to the Federal Bureau of Investigation (FBI) that he had taken control of an airplane and made it fly briefly sideways.


Chris Roberts, the founder of One World Labs, was recently detained, questioned and had his equipment taken by federal agents after he landed on a United flight from Chicago to Syracuse, New York following his tweet suggesting he might hack into the plane's in-flight entertainment system.

In that particular tweet, Roberts joked: "Find me on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone? :)"

The federal agents acted on the tweet immediately and took it seriously, given Roberts' known capability to carry out such hacking tactics.

In the FBI affidavit first made public Friday - first obtained by APTN National News - Roberts told the FBI earlier this year that he had hacked into aircraft in-flight entertainment (IFE) systems while on board not once, but repeatedly.

"During these conversations, Mr. Roberts stated ... he had exploited [flaws] with IFE systems on aircraft while in flight. He compromised the IFE systems approximately 15 to 20 times during the period 2011 through 2014," FBI Special Agent Mark Hurley wrote in his application. "He last exploited an IFE system during the middle of 2014."

How did the researcher make this possible?
The documents claim that Roberts connected his laptop to the plane’s IFE system via a modified Ethernet cable, allowing him to access other airplane systems.

During at least one instance, Roberts reportedly claimed to have overwritten the code on the airplane's Thrust Management Computer while aboard a flight and successfully controlled the system to issue the climb command.

By issuing the ‘CLB’ or climb command, Roberts "caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane," according to the FBI warrant application.

No Systems were Harmed:
Roberts claimed via Twitter that no systems were harmed during the trip. Moreover, Roberts told Wired in an interview that the FBI has taken his remarks about hacking "out of context" of their discussions with the agency.

Roberts claimed that he had only watched data traffic on airplanes, and he has only attempted the hack in a simulated environment because he believed that such hack attacks were possible.

"It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others," he said, declining to elaborate further.

Since this incident, United Airlines has launched a bug bounty program inviting security researchers and bug hunters to report vulnerabilities in its websites, apps and web portals.

Roberts has neither been arrested by the FBI nor charged with any crime.

20 May 2015

Philippines, Taiwan are latest targets of 'Operation Tropic Trooper' malware

Despite the ongoing trend of cyberattacks in the region, some governments and companies are proving to be behind the curve when it comes to using proactive methods and technologies like vulnerability patching, security training, and antimalware detection to protect themselves.

The Philippines and Taiwan are the latest targets of “Operation Tropic Trooper,” an ongoing campaign that has been found to be using old infiltration tactics—two commonly exploited Windows vulnerabilities, social engineering methods, and basic steganography—to steal state and industry secrets since 2012, according to Trend Micro.

Throughout March to May 2015, Trend Micro's researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% zoned in on Philippine entities.

Specific targets included government institutions, military agencies, and companies in the heavy industry in the countries mentioned.

Threat actors of the campaign are familiar with their target organizations’ networks and know which hooks to use to bait them. They craft spear-phishing emails carrying seemingly interesting attachments that hint at planned bombings, resumes, or government budgets; the attached documents exploit two commonly exploited Windows vulnerabilities, CVE-2010-3333 and CVE-2012-0158, in order to run a Trojan.


The Trojan, TROJ_YAHOYAH, eventually downloads and decrypts a malicious image or decoy file. The downloaded images appear harmless and look similar to default wallpapers in Windows XP systems. However, encrypted into them via simple steganography is BKDR_YAHAMAM, a malware that steals data from the system, kills processes and services, deletes files and directories, puts systems to sleep, and performs other backdoor capabilities.
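A defender's first question about a downloaded "wallpaper" is whether the file carries more bytes than its own headers account for. The following Python is an added example for this page, not Trend Micro's code or tooling; it assumes the appended-payload form of simple steganography (data tacked on after the image structure), which the page does not specify as Tropic Trooper's exact method. The 1x1 PNG and BMP images and the payload blob are constructed inline so the check runs offline.

```python
"""Triage helper: flag PNG/BMP files with bytes beyond their declared structure.

Added example (not Trend Micro code). Assumes an appended-payload steganography
variant; the page does not state which technique Operation Tropic Trooper used.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_declared_end(data: bytes):
    """Walk the PNG chunk list; return the offset just past IEND's CRC.

    Returns None when the data is not a PNG or the chunk list is truncated.
    """
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length + type + chunk data + CRC
        if pos > len(data):
            return None                # chunk claims more bytes than the file holds
        if ctype == b"IEND":
            return pos
    return None                        # no IEND chunk seen


def bmp_declared_end(data: bytes):
    """Return the file size recorded in the BITMAPFILEHEADER, or None if not a sane BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    declared = struct.unpack("<I", data[2:6])[0]
    return declared if declared <= len(data) else None


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the declared end of a PNG or BMP; b'' if none or format unknown."""
    for probe in (png_declared_end, bmp_declared_end):
        end = probe(data)
        if end is not None:
            return data[end:]
    return b""


# --- constructed 1x1 test images, built here so the example runs offline ---

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB, no interlace
    scanline = b"\x00" + b"\xff\xff\xff"                  # filter byte + one white pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline))
            + _png_chunk(b"IEND", b""))


def make_bmp_1x1() -> bytes:
    row = b"\xff\xff\xff\x00"                             # BGR pixel padded to 4 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(row), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(row)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + row


# Constructed stand-in for an encrypted backdoor blob; a real one is opaque bytes.
CONSTRUCTED_PAYLOAD = b"\x7f\x00CONSTRUCTED-ENCRYPTED-BLOB\x00" * 4


def scan_images(samples: dict) -> dict:
    """Map each sample name to the number of trailing bytes found (0 means clean)."""
    return {name: len(trailing_payload(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    samples = {
        "wallpaper_clean.png": make_png_1x1(),
        "wallpaper_clean.bmp": make_bmp_1x1(),
        "wallpaper_suspect.png": make_png_1x1() + CONSTRUCTED_PAYLOAD,
        "wallpaper_suspect.bmp": make_bmp_1x1() + CONSTRUCTED_PAYLOAD,
    }
    for name, extra in scan_images(samples).items():
        verdict = "clean" if extra == 0 else f"{extra} bytes beyond declared end -> inspect"
        print(f"{name}: {verdict}")
```

A structural check like this only catches data appended after the image; pixel-level embedding (for example, least-significant-bit encoding) leaves the container well-formed and needs statistical analysis or, more practically, behavioural detection such as a document-spawned process fetching image files from unexpected hosts.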

Government agencies, military organizations, and heavy industries all harbor secrets that may prove detrimental if destroyed or stolen. The routines found in Operation Tropic Trooper are relatively less sophisticated compared to other targeted attack campaigns, but it has shown that similar targets may still be successfully infiltrated using the same old tactics. Unfortunately, even old threats may work against networks that store highly sensitive information.

It is important to note that the infiltration could have been prevented or prepared for using proactive methods and technologies like vulnerability patching, security training, and antimalware detection.

As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the legacy OS. There is also a possibility that the threat actors used this form of steganography because they either still use the outdated OS themselves or have in-depth knowledge of it.

It is vital for governments and companies to look into threat intelligence and to establish a custom defense strategy so that network administrators are not victimized by Operation Tropic Trooper and other similar attacks.